The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Saturday, June 23, 2012

When was a file accessed?

One of the aspects of Windows analysis that I discuss in the courses we're offering is that the version of Windows you're analyzing is significant. For
example, as of Windows Vista, updating of file system last accessed
times, as a result of normal user behavior, is disabled by default. However, even though we can't look to file accesses times as an indication of when a user accessed the files, there are a number of artifacts on Windows systems, in
particular Windows 7, which will tell us not only that a user accessed a
file (based on the context of those artifacts), but also when. As such, we can add category IDs or tags (i.e., "[File Access]") to those events (something that I've discussed previously) in order to make them much easier to identify in timelines, as well as in other reporting formats.

I'll take a moment a discuss a few of the artifact sources we can use on Windows 7 systems that provide indications of file access...

LNK Files
One of the ways that LNK files are created on a system is that a user will double-click a file which is located somewhere on that system, on removable media, or even on a network share. When this happens, a shortcut file that points to the target will be created in the user's Recent folder. The operating system will select the appropriate application (based on the extension of the target file) with which to open the file.

As such, under "normal" circumstances, the creation date of the LNK file would correspond to when the target file was first accessed, and the last modification date of the LNK file would correspond to when the target file was most recently accessed. [Ref: Harry Parsonage's excellent "The Meaning of LIFE" white paper.]

Jump Lists
On Windows 7 systems, we now have new Task Bar artifacts called Jump Lists available for analysis. The AutomaticDestinations Jump Lists are produced by activities very similar to those associated with LNK files, with the added advantage that the Jump Lists are associated with an application (based on the AppID), as well as with a user.

Let's say that the user accesses a Word .docx file by double-clicking it. When this happens, an LNK file is created, and a Jump List associated with the version of MS Word installed on the system is created, if it doesn't already exist. These Jump Lists are based on the MS Compound Document format, and an entry that contains an LNK stream is created within the Jump List file, and a structure is added to the DestList stream within the Jump List. When the file is accessed and the DestList stream structure is added, the time of the activity is included within that structure. This time can be used to illustrate the most recent time the user accessed that file.

As the LNK streams that point to the target file are not files themselves, they do not have MACB file system times specifically associated with each of them. They do contain the MA.B times of the target file, embedded within the stream, as they follow the binary format specification described by MS.

MRU Lists
There are a number of Registry keys (specifically within the user's NTUSER.DAT hive file) that maintain references to files that the user has accessed. Some, such as the RecentDocs key, maintain simply names of files, while others, such as the Paint subkey beneath the user's Applets key (see the RegRipper applets.pl plugin), provide the full path to the file. Many of these keys also contain Most Recently Used entries, indicating that the key's LastWrite time may reflect when the appropriately listed file was most recently accessed.

Document Metadata
There are a number of file formats that allow for metadata to be stored within the file itself. MS Office has long been known for providing a good deal of (potentially embarrassing) metadata. While more recent formats of MS Office documents don't contain as much metadata as previous versions, we may still be able to use this information to provide indications of file access.

VSCs
Let's not forget that previous versions of each of the artifacts we've discussed so far may be located within available Volume Shadow Copies; as such, we may want to take a targeted (perhaps even laser-focused) approach to parsing previous versions of each of these artifacts for comparative, historical data.

Summary
As you can see, even though the updating of last access times for files is disabled by default on Windows systems as of Vista, this doesn't mean that we can't determine when a user accessed particular files.

6 comments:

Jimmy_Weg
said...

And, as you've pointed out, the lack of an artifact may be an artifact. When MRUs are missing, one may want to check to see whether MRU'ing was disabled within the OS or by an app like CClearner. Also, some MRUs seem to have been replaced by JumpLists. I've found that MSIE index records typically are the most prolific, if not the best, evidence of access. Lastly, I've seen one XP system in which access stamping was disabled, so I've become accustomed to checking the reg in XP exams for that value's setting.

Talking about CCleaner, does anyone have any forensic insight into how well it works (by way of artifacts). I'm currently investigating a Vista volume and i'm not seeing much in the usual places. If I'm thinking properly I may have to go through the events prior to CCleaner being installed and ran. Thanks guys, keep up the great work!

Assuming that it was installed, you may find existing/deleted Prefetch and UserAssist, but CC can be set to remove them. Wiping free space is optional. It does a good job of wiping files, though you may find MFT records with file names like ZZZZZZZ. The defaullt is simple deletion, and it can run on startup. Look in $UsnJrnl, too. The CC registry provides the settings, or run a VM to see for yourself.

Harlan and Jimmy thank you both for the information - yes, CC was searched for, downloaded and ran, but I dont see the typical .zzzzzz extensions. It looks like I will go through the VSC exercise to see if there are any VSC's before the run date of CC. What I need to get is specific - "Internet History"